{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27792", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-06T18:06:54.462Z", "datePublished": "2025-03-11T21:49:51.188Z", "dateUpdated": "2025-03-12T13:52:10.401Z"}, "containers": {"cna": {"title": "Opal vulnerable to CSRF protection bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/obiba/opal/security/advisories/GHSA-27vw-29rq-c358", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/obiba/opal/security/advisories/GHSA-27vw-29rq-c358"}], "affected": [{"vendor": "obiba", "product": "opal", "versions": [{"version": "< 5.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-11T21:49:51.188Z"}, "descriptions": [{"lang": "en", "value": "Opal is OBiBa\u2019s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, the protections against cross-site request forgery (CSRF) were insufficient application-wide. The referrer header is checked, and if it is invalid, the server returns 403. However, the referrer header can be dropped from CSRF requests using `<meta name=\"referrer\" content=\"never\">`, effectively bypassing this protection. Version 5.1.1 contains a patch for the issue."}], "source": {"advisory": "GHSA-27vw-29rq-c358", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/obiba/opal/security/advisories/GHSA-27vw-29rq-c358", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-12T13:52:02.151494Z", "id": "CVE-2025-27792", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T13:52:10.401Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27792", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-12T13:52:02.151494Z"}}}], "references": [{"url": "https://github.com/obiba/opal/security/advisories/GHSA-27vw-29rq-c358", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T13:51:53.648Z"}}], "cna": {"title": "Opal vulnerable to CSRF protection bypass", "source": {"advisory": "GHSA-27vw-29rq-c358", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "obiba", "product": "opal", "versions": [{"status": "affected", "version": "< 5.1.1"}]}], "references": [{"url": "https://github.com/obiba/opal/security/advisories/GHSA-27vw-29rq-c358", "name": "https://github.com/obiba/opal/security/advisories/GHSA-27vw-29rq-c358", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Opal is OBiBa\u2019s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, the protections against cross-site request forgery (CSRF) were insufficient application-wide. The referrer header is checked, and if it is invalid, the server returns 403. However, the referrer header can be dropped from CSRF requests using `<meta name=\"referrer\" content=\"never\">`, effectively bypassing this protection. Version 5.1.1 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-11T21:49:51.188Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27792", "state": "PUBLISHED", "dateUpdated": "2025-03-12T13:52:10.401Z", "dateReserved": "2025-03-06T18:06:54.462Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-11T21:49:51.188Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Opal is OBiBa\u2019s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, the protections against cross-site request forgery (CSRF) were insufficient application-wide. The referrer header is checked, and if it is invalid, the server returns 403. However, the referrer header can be dropped from CSRF requests using `<meta name=\"referrer\" content=\"never\">`, effectively bypassing this protection. Version 5.1.1 contains a patch for the issue."}, {"lang": "es", "value": "Opal es la aplicaci\u00f3n principal de base de datos de OBiBa para biobancos o estudios epidemiol\u00f3gicos. Antes de la versi\u00f3n 5.1.1, la protecci\u00f3n contra cross-site request forgery (CSRF) era insuficiente en toda la aplicaci\u00f3n. Se verifica el encabezado de referencia y, si no es v\u00e1lido, el servidor devuelve el error 403. Sin embargo, se puede omitir el encabezado de referencia de las solicitudes CSRF mediante ``, lo que permite eludir esta protecci\u00f3n. La versi\u00f3n 5.1.1 incluye un parche para este problema."}], "id": "CVE-2025-27792", "lastModified": "2025-03-12T14:15:16.930", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-03-11T22:15:13.567", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/obiba/opal/security/advisories/GHSA-27vw-29rq-c358"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/obiba/opal/security/advisories/GHSA-27vw-29rq-c358"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}